From f055a66a380fc7afe81daac2a452f4048052fa3c Mon Sep 17 00:00:00 2001
From: Fedor Indutny
Date: Thu, 1 Oct 2015 17:28:49 -0400
Subject: [PATCH] crypto: enable FIPS only when configured with it
Do not rely on `OPENSSL_FIPS` in `node_crypto.cc` when building with shared FIPS-enabled OpenSSL library. Enable FIPS in core only when configured with `--openssl-fips`.
Fix: https://github.com/nodejs/node/issues/3077
PR-URL: https://github.com/nodejs/node/pull/3153
Reviewed-By: Ben Noordhuis
---
 node.gyp | 3 +++
 src/node_crypto.cc | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/node.gyp b/node.gyp
index 0e2fd3ae443449..22079785d951f4 100644
--- a/node.gyp
+++ b/node.gyp
@@ -228,6 +228,9 @@
 'src/tls_wrap.h'
 ],
 'conditions': [
+ ['openssl_fips != ""', {
+ 'defines': [ 'NODE_FIPS_MODE' ],
+ }],
 [ 'node_shared_openssl=="false"', {
 'dependencies': [
 './deps/openssl/openssl.gyp:openssl',
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index bdfd1b62f3e34a..6d5403b563118f 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -5323,13 +5323,13 @@ void InitCryptoOnce() {
 CRYPTO_set_locking_callback(crypto_lock_cb);
 CRYPTO_THREADID_set_callback(crypto_threadid_cb);
-#ifdef OPENSSL_FIPS
+#ifdef NODE_FIPS_MODE
 if (!FIPS_mode_set(1)) {
 int err = ERR_get_error();
 fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL));
 UNREACHABLE();
 }
-#endif // OPENSSL_FIPS
+#endif // NODE_FIPS_MODE
 // Turn off compression. Saves memory and protects against CRIME attacks.
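Review bot: The new `openssl_fips != ""` condition sits outside the `node_shared_openssl=="false"` branch, so `NODE_FIPS_MODE` is also defined for shared-OpenSSL builds, and nothing visible in this hunk checks that the linked library is FIPS-capable. A mismatch would then presumably surface only at startup, when `FIPS_mode_set(1)` fails in `InitCryptoOnce()` in src/node_crypto.cc. A comment on the condition would record that this is intended, for example `# NODE_FIPS_MODE forces FIPS_mode_set(1) at startup; the linked OpenSSL must be FIPS-capable`. The enclosing `'conditions'` list starts and ends outside the hunk.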
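Review bot: Nothing at `#ifdef NODE_FIPS_MODE` says why the guard is no longer `OPENSSL_FIPS`, which invites a later revert. A comment such as `// NODE_FIPS_MODE is set by configure --openssl-fips; OPENSSL_FIPS alone does not mean FIPS was requested` would keep the commit message's distinction next to the code. In the same guarded block, `int err = ERR_get_error();` narrows the `unsigned long` that `ERR_get_error()` returns and `ERR_error_string()` takes; `unsigned long err = ERR_get_error();` avoids the conversion. The failure path still ends in `UNREACHABLE()`, so a FIPS-configured build that cannot enter FIPS mode does not continue in non-FIPS mode, and that should stay. `InitCryptoOnce()` continues past the end of the hunk.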